Two recent European Court of Justice (ECJ) rulings have made clear that the policing of data in Europe should not be carried out by Internet Service Providers (ISPs).

Both of these cases involve SABAM, a Belgian company responsible for authorising music rights.

The first ruling came on 24th November 2011:
““E.U. law precludes an injunction made against an Internet service provider requiring it to install a system for filtering all electronic communications passing via its services, which applies indiscriminately to all its customers, as a preventive measure, exclusively at its expense, and for an unlimited period,” the court wrote.” http://www.nytimes.com/2011/11/25/technology/eu-court-rejects-call-for-isps-to-curb-illegal-file-sharing.html

“The court said that while content providers can ask ISPs to block specific sites, wider filtering was in breach of the E-Commerce Directive.” http://www.bbc.co.uk/news/technology-15871961

“A social network cannot be required to install an anti-piracy filtering system, the European Court of Justice (ECJ) has ruled. Belgian music royalty collecting firm SABAM wanted the social network Netlog to stop users infringing copyright. But the court said the filtering required would contravene rights to freedom of business, personal data and freedom of information.” http://www.bbc.co.uk/news/technology-17060112

Rights holders, in conjunction with the European Commission [Commissioner Neelie Kroes @NeelieKroesEU ] via the Digital Agenda for Europe [ @DigitalAgendaEU ], have been pushing to allow the monitoring of ALL web traffic, to test internet traffic for infringing content. This means that the innocent as well as the guilty would need to have their data searched.

I am glad “The court [ECJ] ruled that the filtering could infringe the rights of customers and their right to protect their own data. It could also mean that legal content was blocked.” [also in the first BBC link].

Automated filtering systems could (and probabily would) offer up false positives, that is, these automated system would mark some content that is legal, as illegal. Automatic filtering systems are not fool-proof and in their foolishness they could, if programmed to block what they deem as illegal content, block legal content [and example of an automated take-down system that went wrong: http://tinyurl.com/7hhsgve ]. The ECJ understands this point even if Rights holders and pushers-of-ACTA do not or do not care.
There are many Parties to ACTA, one is the United States of America. Each Party to ACTA has their own laws and their own jurisdictions. In the US, various laws such as the Patriot Act and the proposed Cyber-security bill, go way beyond European laws (‘acquis’ [http://en.wikipedia.org/wiki/Community_acquis ]).

This brings me to my point. European businesses and citizens’ data is protected under European laws while it is located in and moves around Europe. It is not protected under European law when located outside or moves outside Europe.

Justice Commissioner Viviane Reding makes my point in a discussion on PNR (Passenger Name Records) and “has insisted that US authorities cannot override EU laws on data privacy, following concerns expressed by MEPs that certain US laws and legal subpoenas could force EU companies to disclose personal data to US law enforcement agencies.Speaking on Wednesday night in a debate called by Liberal MEPs in Strasbourg, Commissioner Reding told MEPs that “any processing of personal data in the EU has to respect the applicable EU data protection law”, adding that a US law enforcement authority would have to use “existing channels of cooperation and mutual legal assistance agreements” if they wanted data and information from companies in the EU.”http://euobserver.com/871/115299

Many internet companies locate European data outside European jurisdiction and this then falls under the jurisdiction of those extra-EU states. Facebook, Twitter, etc, falls under extra-EU jurisdiction and laws. The United States of America says that any website site with a “.com” or “.net” address falls under its jurisdiction.

This means that European businesses and citizens’ data that is located in or travels through US jurisdictiona can be monitored, searched, seized and blocked at the whim of the United States of America’s laws, all legally [under US law). This monitoring, searching, seizure and blocking goes way beyond what would be allowed in the EU under EU law (EU acquis).

This is why I say European data should be ‘black-boxed’ (held and contained) within Europe’s jurisdiction until such a time as extra-EU states [including Parties to ACTA] GUARANTEE that European businesses and citizens’ data is protected at least as much as European laws affords it.

There will be much work involved to get this European ‘black-box’ up and running. There will be issues and opportunities, but it would be worth it for Europe in terms of increased online safety for European businesses and citizens, as well as newly created job opportunities for European businesses and citizens.